Siemens Process Automation End-user Summit 2011
Experience. Technology. Community

SIMATIC PCS 7 Process Safety
Jean-Luc Gummersbach, I IA AS PA PRM1
Global market trend in Process Safety
- The Process Safety market is growing at an annual rate of 5.8%
- The market will exceed $2 billion in 2014
- From 2013 onwards, growth rates of >7% are expected
- The biggest share of sales volume is in hardware, including bundled software
Source: ARC - Process Safety System Worldwide Outlook 2009 through 2014

Global market trend in Process Safety - Development of Market Shares (2009 to 2014)
Total shipments of Process Safety Systems by world region (figures as given on the slide):

  Region          Share 2009   Share 2014   Shipments 2009 -> 2014   Trend
  EMEA            47.4 %       43.7 %       775 -> 946               share decreases
  Asia            27.1 %       32.2 %       443 -> 697               share increases
  Latin America    8.7 %        8.7 %       142 -> 188               share stable
  North America   16.8 %       15.4 %       275 -> 334               share decreases
Source: ARC - Process Safety System Worldwide Outlook 2009 through 2014

Global market trend in Process Safety - Trends in Process Safety Products
- Integration between BPCS and SIS
- Scalability
- Use of common components
- Better diagnostics
- Comprehensive lifecycle support
(Pictured: SIMATIC PCS 7 ES and OS, SIMATIC S7-400FH)
BPCS = Basic Process Control System; SIS = Safety Instrumented System

Market Expectation / Customer Requirements - Product related requirements
- Continue the integration of standard and safety system
- Improve use and access control
- Better system support for upgrades and application changes
- Improve On-Line-Change capability
- Consider cyber security for the SIS
- Especially in the Asian market: F-AO

Market Expectation / Customer Requirements - Services
- Process Safety Consultancy, e.g. how to develop safety-conformant concepts in accordance with existing regulations and standards
- Functional Safety Workshops and Trainings
- Engineering Services by supplier or partner
- Implementation Guidelines
- Engineering and Planning Guidelines
- Functional Safety Management (FSM) following IEC 61511 (documentation, project management, validation, ...)
QMR and TMR technology in the market - TMR: ICS Triplex Trusted (Rockwell Automation)
- Single or redundant controller, each with 3 CPUs
- SIL 3, 3-3-2-0 fault tolerant control system
- Fault behavior (e.g. CPU fault):
  - The faulty CPU stops, the others still run
  - The complete controller has to be exchanged for a new one
  - Faults on a common part cause a stop of the controller
- Same behavior as the Siemens system:
  - The Siemens controller goes directly into the safe state
  - The Siemens controller does not run with internal faults

QMR and TMR technology in the market - TMR: Triconex Tricon (Invensys)
- 3 controllers, each with 1 CPU
- Degradation 3-2-1-0
- Fault behavior:
  - The faulty controller goes to the safe state
  - The faulty controller has to be exchanged
- Degraded mode with time restriction:
  - No continuous operation in dual mode or single mode for SIL 3
  - No continuous operation in single mode for SIL 2
  - 3 controllers are required for SIL 3

QMR and TMR technology in the market - QMR: HIMA HIQUAD
- Single or redundant controller, each with 2 CPUs
- Fault behavior, CPU fault:
  - The faulty controller goes to the safe state
  - The faulty controller has to be exchanged
- Other controller faults:
  - The faulty controller goes to the safe state
  - The faulty controller has to be exchanged
- Same behavior as the Siemens system

QMR and TMR technology in the market - Strengths and weaknesses
Strengths:
- Robust high availability concept
- Comprehensive IO module range
- Well established safety systems
- Large installed base
Weaknesses:
- Controllers have to be installed in one chassis
- The system is not integrated into a DCS system, no integrated solution
- An additional engineering tool is required
- An additional bus system for the safety communication is required
- Redundant or hot-swap IO has to be placed beside the first I/O module in the same rack or chassis (Tricon)
- High common-cause failure
Flexible Modular Redundancy (FMR)
(Diagram: DI modules in simplex, dual and triple configuration with 1oo1, 1oo2 and 2oo3 voting; field devices LS, PT and valves)
- Make any component redundant
Software Execution
- Time redundancy and software diversity instead of two CPUs (hardware redundancy)
- Time-redundant and instruction-diverse processing
- Logical program execution and data flow monitoring
- Bool and Word operations are processed in different parts of the CPU
- 2 independent hardware timers
(Diagram: operands A, B (Bool) -> operation -> result C; diverse path with encoded operands /A, /B (Word) -> operation -> result D = /C; comparison of C and D, stop on mismatch; the run is repeated over time (time redundancy))
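The slide describes the principle only; the following is an added software model of it (example code, not Siemens firmware) so that the mechanism can be exercised. Each boolean operation runs on a plain Bool path (C = A op B) and on a diverse Word path that works on the inverted, word-encoded operands /A, /B and must deliver D = /C (De Morgan). A program-flow signature is accumulated alongside, the pass is repeated for time redundancy, and any disagreement stops the evaluation, modelling the CPU going to the safe state rather than running with an internal fault. The signature constants and the injected fault labels are constructed for this example.

```python
"""Software model of time-redundant, instruction-diverse execution.

Added example, not Siemens code: Bool path and diverse Word path must agree
(D == /C), a flow signature must come out right, and two passes separated in
time must return the same result. Any violation raises SafetyStop.
Signature constants and fault labels are constructed for this example.
"""
import time

WORD = 0xFFFF                                    # 16-bit word encoding of a boolean
SIG_BOOL, SIG_WORD, SIG_CMP = 0x1A, 0x2B, 0x3C   # constructed flow-signature steps
SIG_EXPECTED = (SIG_BOOL + SIG_WORD + SIG_CMP) & 0xFF


class SafetyStop(Exception):
    """Diverse paths or flow monitoring disagree: go to the safe state."""


def encode(b: bool) -> int:
    """Word encoding: True -> 0xFFFF, False -> 0x0000."""
    return WORD if b else 0


def invert(w: int) -> int:
    return (~w) & WORD


def bool_path(op: str, a: bool, b: bool) -> bool:
    """Plain Bool path: C = A op B."""
    if op == "AND":
        return a and b
    if op == "OR":
        return a or b
    raise ValueError(f"unsupported operation {op!r}")


def word_path(op: str, a: bool, b: bool) -> int:
    """Diverse Word path on the inverted operands; the result must equal /C."""
    na, nb = invert(encode(a)), invert(encode(b))
    if op == "AND":
        return na | nb      # /A OR /B  == /(A AND B)
    if op == "OR":
        return na & nb      # /A AND /B == /(A OR B)
    raise ValueError(f"unsupported operation {op!r}")


def _one_pass(op, a, b, fault, pass_no):
    sig = 0
    c = bool_path(op, a, b)
    sig += SIG_BOOL
    d = word_path(op, a, b)
    sig += SIG_WORD
    if fault == "word":            # injected single-bit error in the Word path
        d ^= 0x0001
    if fault == "flow":            # injected extra or skipped instruction
        sig += 1
    sig += SIG_CMP
    if d != invert(encode(c)):
        raise SafetyStop(f"diversity check failed: D={d:#06x}, /C={invert(encode(c)):#06x}")
    if (sig & 0xFF) != SIG_EXPECTED:
        raise SafetyStop("program-flow signature mismatch")
    if fault == "transient" and pass_no == 0:
        c = not c                  # injected corruption of the result after the checks, first pass only
    return c


def safe_evaluate(op, a, b, fault=None, passes=2, gap_s=0.0):
    """Evaluate A op B with diversity, flow monitoring and time redundancy."""
    results = []
    for n in range(passes):
        results.append(_one_pass(op, a, b, fault, n))
        time.sleep(gap_s)          # the passes are separated in time
    if len(set(results)) != 1:
        raise SafetyStop("time-redundant passes disagree")
    return results[0]


def stops(op, a, b, fault) -> bool:
    """True if the injected fault is detected and the evaluation stops."""
    try:
        safe_evaluate(op, a, b, fault=fault)
        return False
    except SafetyStop:
        return True


if __name__ == "__main__":
    print(safe_evaluate("AND", True, True))
    for f in ("word", "flow", "transient"):
        print(f, "detected:", stops("AND", True, True, f))
```

The "word" fault is caught by the diversity comparison, the "flow" fault by the signature check, and the "transient" fault, which corrupts a result after both in-pass checks, only by the second pass; that is the case a single check could not detect and the reason the slide lists time redundancy separately from instruction diversity.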
Flexible Modular Redundancy
(Diagram: DI modules in simplex, dual and triple configuration)
- Make any component redundant
- Physically separate redundant resources
- Mix and match redundancy
- Tolerate multiple faults with no impact on safety
Flexible Modular Redundancy (FMR)
Highest Safety Integrity Level
- Safety Integrity Level up to SIL 3 with one controller
Highest flexibility
- Separate or combine safety and standard application in one CPU
- Use redundancy for safety only where it is needed
- Parallel use of PROFIsafe on PROFIBUS
Highest availability through multiple fault tolerance
- The architecture allows the system to tolerate multiple faults
- IO redundancy is independent of CPU redundancy
- IO and device redundancy can be matched to maximize availability
Cost reduction
- Use redundancy only where you need it, for safety or for availability
SIL Verification acc. IEC 61508 and IEC 61511
IEC 61508: serves as the basic standard and basis for safety standardization. It covers all areas where electrical, electronic or PLC systems are used to realize safety-related protection functions.
IEC 61511: there are sector-specific standards based on IEC 61508, such as IEC 61511 for the process industry or IEC 61513 for the nuclear industry. These sector standards are important for planners and operators of the corresponding plants.

SIL Verification acc. IEC 61508 and IEC 61511 - Determination of the maximum SIL for an E/E/PE safety-related subsystem
- Example in IEC 61508-2 (Clause 7.4.4.2.3)
- Both element 1 and element 3 restrict the maximum SIL that can be claimed to just SIL 1
E/E/PE = electrical and/or electronic and/or programmable electronic

SIL Verification acc. IEC 61508 and IEC 61511 - Verification of the Safety Integrity Level (SIL) of the hardware for the safety instrumented system (SIS)
- Structural suitability: demands on hardware fault tolerance (HFT)
- Safety-related probability of failure on demand (PFD)
SIL Verification acc. IEC 61508 and IEC 61511 - Architecture and Hardware Fault Tolerance: Sensor part
(Loop: Sensor - Power - Communication - CPU - Communication - Relay - MCC)
- Transmitter: HFT = 0, proven in use => SIL 2
- Power supply: HFT = 0 => SIL 1
- Sensor part: SIL 1
Hardware fault tolerance requirements according to IEC 61511-1 clause 11.4
SPAES 2011, Goa, India / Siemens AG 2011. All Rights Reserved.

SIL Verification acc. IEC 61508 and IEC 61511 - Architecture and Hardware Fault Tolerance: Logic system (controller and IO)
- IO: SIL 3 certified according to IEC 61508 => SIL 3
- Controller: SIL 3 certified according to IEC 61508 => SIL 3
- Communication: SIL 3 certified according to IEC 61508 => SIL 3
- Logic system: SIL 3

SIL Verification acc. IEC 61508 and IEC 61511 - Architecture and Hardware Fault Tolerance: Final element
- Relay: HFT = 0, proven in use => SIL 2
- MCC: HFT = 0, proven in use => SIL 2
- Final element: SIL 2
Hardware fault tolerance requirements according to IEC 61511 clause 11.4

SIL Verification acc. IEC 61508 and IEC 61511 - Architecture and Hardware Fault Tolerance: Total system
- Sensor part = SIL 1
- Logic system = SIL 3
- Final element = SIL 2
- Total system = SIL 1 (the weakest subsystem limits the loop)

SIL Verification acc. IEC 61508 and IEC 61511 - Probability of Failure on Demand
- PFD_S (sensor part) = 5.68E-4
- PFD_L (logic system) = 4.10E-4
- PFD_FE (final element) = 1.77E-3
- PFD_Total = 5.68E-4 + 4.10E-4 + 1.77E-3 = 2.75E-3
- Total system = SIL 2

SIL Verification acc. IEC 61508 and IEC 61511 - Result
- Architecture and Hardware Fault Tolerance: result SIL 1
- Probability of Failure on Demand: result SIL 2
- Overall result: SIL 1
- The architecture must be changed to claim a higher SIL

SIL Verification acc. IEC 61508 and IEC 61511 - Modified architecture: 1oo2 sensors with redundant power supply
(Loop: Sensor / Sensor (1oo2) - Power / Power - Logic system and IO - Relay - MCC)
- Architecture and Hardware Fault Tolerance: result SIL 2
- Probability of Failure on Demand: result SIL 2
- Overall result: SIL 2
Hardware fault tolerance requirements according to IEC 61511 clause 11.4
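The two-step verification on the preceding slides (architectural SIL limited by the weakest subsystem, then loop PFD summed and mapped to a SIL band, overall claim the lower of the two) as an added worked example; this is example code written for this page, not a Siemens tool. The subsystem SILs and PFD values are the ones on the slides; the PFD bands are IEC 61508-1 Table 2 for low demand mode. The slides give no PFD figures for the modified 1oo2 loop, so MODIFIED reuses the original PFD values as a labelled placeholder, which is consistent with the slide's stated PFD result of SIL 2.

```python
"""SIL verification of a safety loop in two steps, as on the slides.

Added example, not Siemens code. Step 1: the architectural SIL is the minimum
over the subsystems (HFT requirements of IEC 61511-1 clause 11.4). Step 2: the
loop PFD is the sum of the subsystem PFDs (series loop) and is mapped to a SIL
band (IEC 61508-1 Table 2, low demand mode). The claimable SIL is the lower
of the two results.
"""
from dataclasses import dataclass

# IEC 61508-1 Table 2, low demand mode: average PFD band [lo, hi) per SIL
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_from_pfd(pfd: float) -> int:
    """Map an average PFD to a SIL; 0 means no SIL can be claimed."""
    if pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in PFD_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 4   # below 1e-5: no claim above SIL 4 is defined


@dataclass(frozen=True)
class Subsystem:
    name: str
    sil_arch: int   # SIL permitted by architecture / hardware fault tolerance
    pfd: float      # average probability of failure on demand


def verify(loop):
    """Return the architectural SIL, PFD-based SIL and overall claim for a loop."""
    arch_sil = min(s.sil_arch for s in loop)       # weakest subsystem limits the loop
    pfd_total = sum(s.pfd for s in loop)           # series loop: subsystem PFDs add up
    pfd_sil = sil_from_pfd(pfd_total)
    return {
        "arch_sil": arch_sil,
        "pfd_total": pfd_total,
        "pfd_sil": pfd_sil,
        "overall": min(arch_sil, pfd_sil),
        "limiting": [s.name for s in loop if s.sil_arch == arch_sil],
    }


# Figures from the slides: sensor part SIL 1, logic system SIL 3, final element SIL 2
ORIGINAL = [
    Subsystem("sensor part", 1, 5.68e-4),
    Subsystem("logic system", 3, 4.10e-4),
    Subsystem("final element", 2, 1.77e-3),
]

# Modified loop from the last slide: 1oo2 sensors with redundant power give SIL 2
# for the sensor part. Its PFD is not on the slides; the original value is a placeholder.
MODIFIED = [
    Subsystem("sensor part (1oo2, redundant power)", 2, 5.68e-4),   # placeholder PFD
    Subsystem("logic system", 3, 4.10e-4),
    Subsystem("final element", 2, 1.77e-3),
]


if __name__ == "__main__":
    for label, loop in (("original", ORIGINAL), ("modified", MODIFIED)):
        r = verify(loop)
        print(f"{label}: architecture SIL {r['arch_sil']} (limited by {', '.join(r['limiting'])}), "
              f"PFD {r['pfd_total']:.2E} -> SIL {r['pfd_sil']}, claim SIL {r['overall']}")
```

For the original loop the PFD sum of 2.75E-3 lands in the SIL 2 band, but the sensor part's HFT of 0 caps the architecture at SIL 1, so only SIL 1 can be claimed; the `limiting` list names the subsystem whose architecture has to change, which is exactly the 1oo2 sensor change the last slide makes.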
We wish you a successful meeting! Questions?
Jean-Luc Gummersbach, PCS 7 Product Management, I IA AS PA PRM1
E-Mail: gummersbach.jean-luc@siemens.com